GHSA-93rg-2xm5-2p9v: openclaw: auth bypass exposes Gateway bootstrap config

GHSA-93rg-2xm5-2p9v MEDIUM
Published May 4, 2026
CISO Take

openclaw's Gateway Control UI bootstrap config endpoint could be read by any unauthenticated network actor in versions up to 2026.4.21, potentially exposing sensitive configuration fields intended only for authenticated sessions. With only 4 downstream npm dependents and no EPSS data or CISA KEV entry, immediate active exploitation at scale is unlikely — but this is one of 135 CVEs in the same package, a signal of persistent security hygiene problems worth factoring into third-party AI agent risk decisions. The fix is already published: upgrade to openclaw 2026.4.22, or immediately restrict network access to the Gateway Control UI via firewall or reverse proxy ACLs while patching is scheduled. Rotate any credentials or tokens that may have been exposed through the endpoint.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Medium risk with low exploitation complexity. No authentication or special privileges are required — an adversary with network access to the Gateway Control UI can read the bootstrap config in a single HTTP request. The severity of impact depends on what sensitive fields the config exposes (credentials, internal endpoints, tool definitions), which could enable follow-on attacks against connected AI agent infrastructure. Blast radius is limited to organizations running openclaw as a gateway component, with 4 known npm dependents. The package's history of 135 prior CVEs suggests systemic security debt that elevates overall supply chain risk beyond this individual finding.

How does the attack unfold?

Reconnaissance (AML.T0006): Adversary scans for exposed openclaw Gateway Control UI instances on the network and identifies the unauthenticated bootstrap config endpoint.
Exploitation (AML.T0049): Adversary sends an unauthenticated HTTP request to the bootstrap config route, bypassing the Gateway auth check that should have been enforced.
Configuration Discovery (AML.T0084): Bootstrap config response exposes sensitive fields including internal service endpoints, token configurations, or agent tool definitions intended only for authenticated sessions.
Impact (AML.T0083): Adversary uses exposed configuration to map the agent's connected infrastructure, extract credential material, or craft targeted follow-on attacks against agent tools and services.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: <= 2026.4.21
Patched: 2026.4.22
Dependents: 4 (36% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

1) Upgrade openclaw to version 2026.4.22 immediately; the fix enforces Gateway read-auth on the bootstrap config route with regression tests covering unauthenticated rejection.
2) If patching is delayed, restrict network access to the Gateway Control UI via firewall rules, reverse proxy ACLs, or WAF: deny unauthenticated access to the bootstrap config endpoint.
3) Rotate any credentials, API tokens, or secrets that may have been accessible through the bootstrap config.
4) Review Gateway Control UI access logs for unauthorized requests to the bootstrap config endpoint predating the patch.
5) Given the package's 135-CVE history, conduct a broader risk assessment of openclaw as a dependency and evaluate whether the ongoing vulnerability cadence justifies continued use in critical AI agent infrastructure.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.1.2 - AI System Access Control
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are in place
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is GHSA-93rg-2xm5-2p9v actively exploited?

No confirmed active exploitation of GHSA-93rg-2xm5-2p9v has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-93rg-2xm5-2p9v?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, gateway-managed agent deployments, multi-agent orchestration systems.

What is the CVSS score for GHSA-93rg-2xm5-2p9v?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, gateway-managed agent deployments, multi-agent orchestration systems

MITRE ATLAS Techniques

AML.T0002.002 AI Agent Configuration
AML.T0049 Exploit Public-Facing Application
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

## Summary

Gateway Control UI bootstrap config required Gateway auth.

## Affected Packages / Versions

- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact

When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions.

## Fix

The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling.

## Fix Commit(s)

- 2321d67263bc710e357644d59f746b08d891051b

## Verification

- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @zsxsoft for reporting.
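The fix pattern the advisory describes, sketched as an added example (not openclaw's code): a single dispatcher applies the same token check to every Control UI read, the bootstrap config route included, after stripping basePath. The route paths, token and config field names are hypothetical, since the advisory does not name the real route.

```javascript
// Added illustration, not openclaw's code. Route paths, token and config
// field names are hypothetical; the advisory does not name the real route.
const CONTROL_UI_READ_ROUTES = new Map([
  ["/api/status", () => ({ ok: true })],
  ["/api/bootstrap-config", () => ({ gatewayUrl: "https://gateway.internal.example" })],
]);

// Compare without an early exit, so timing does not reveal how many leading
// characters matched. In Node, crypto.timingSafeEqual serves the same purpose.
function tokensMatch(presented, expected) {
  // An empty configured token never authenticates anyone.
  if (!expected || typeof presented !== "string" || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Strip the configured basePath before matching, so the prefixed and the bare
// form of a route resolve to one entry and reach one auth decision.
function stripBasePath(pathname, basePath) {
  const base = basePath.replace(/\/+$/, "");
  if (base === "") return pathname;
  if (pathname === base) return "/";
  return pathname.startsWith(base + "/") ? pathname.slice(base.length) : null;
}

// Single read path: every Control UI read, bootstrap config included, passes
// the token check before its handler runs. No route registers its own bypass.
function handleControlUiRead(req, cfg) {
  const route = stripBasePath(req.pathname, cfg.basePath || "");
  const handler = route === null ? undefined : CONTROL_UI_READ_ROUTES.get(route);
  if (!handler) return { status: 404 };
  if (cfg.authEnabled) {
    const header = (req.headers && req.headers.authorization) || "";
    const presented = header.startsWith("Bearer ") ? header.slice(7) : "";
    if (!tokensMatch(presented, cfg.token)) return { status: 401 };
  }
  return { status: 200, body: handler() };
}

// Constructed sample requests: the same route without and with the token.
const sampleCfg = { authEnabled: true, token: "constructed-sample-token", basePath: "/ui" };
const probe = (headers) =>
  handleControlUiRead({ pathname: "/ui/api/bootstrap-config", headers }, sampleCfg).status;
console.log(probe({}), probe({ authorization: "Bearer constructed-sample-token" })); // prints 401 200
```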

Exploitation Scenario

An adversary performing reconnaissance against an organization's AI agent infrastructure identifies an exposed openclaw Gateway Control UI. Without any credentials, they issue a single unauthenticated HTTP GET to the bootstrap config endpoint and receive a JSON response containing internal service URLs, authentication token configurations, or agent tool definitions. Armed with this configuration map, the adversary identifies connected services for lateral movement, extracts API keys to impersonate the agent, or tailors a prompt injection payload to exploit known tool definitions — all from a single unauthenticated request before the organization detects any anomaly.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

Timeline

Published
May 4, 2026
Last Modified
May 4, 2026
First Seen
May 5, 2026
